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Abstract. The security of a deterministic quantum scheme for communication, namely the 
LM05 pQ, is studied in presence of a lossy channel under the assumption of imperfect generation 
and detection of single photons. It is shown that the scheme allows for a rate of distillable secure 
bits higher than that pertaining to BB84 We report on a first implementation of LM05 with 
weak pulses. 



1. Introduction 

Deterministic quantum schemes (DQS) for secure communication have recently 
gained interest and diffusion in the field of quantum cryptography [31 ^ , and their 
first experimental 'proofs of principle' have been already completed Despite 
the main achievement of a secure direct communication (A. Beige et al. in pj ) 
is still quite far, DQS can provide better security and higher transmission rates 
in the quantum key distribution (QKD) process than traditional schemes like the 
BB84 0. 

One of these DQS, namely the LM05 pQ, saturates the Holevo bound for 
QKD and is quite practical to implement as it does not require entangle- 
ment to work 0. The security of LM05 against eavesdropping in case the users 
(Alice and Bob) are endowed with a perfect equipment was discussed in pQ. Specif- 
ically LM05 results robust against a general eavesdropping on a noisy but lossless 
channel, and explicit thresholds were given in case of individual attacks by the 
eavesdropper (Eve) ; furthermore a particular strategy by Eve on a noisy and lossy 
channel as described in [Jj was also deemed as detectable by legitimate users. 

In this work we relax the hypothesis of perfect equipment for Alice and Bob. 
We take as photon source an attenuated laser that produces weak pulses; these 
pulses can accidentally (and uncontrollably) contain more than one photon. Fur- 
thermore Bob's detectors are avalanche photodiodes (APD) that either 'click' or 
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'not click', without counting the exact number of photons in the pulse, and have 
nonunitary quantum efficiency and nonzero dark counts probability. It has been 
shown that the conjunction of imperfect devices with a lossy channel jeopardizes 
the security of QKD 8 . The main threat is represented by a photon- number 
splitting attack (PNS) in which an almighty Eve exploits the multiphoton pulses 
to acquire information, whilst concealing her presence behind the expected losses- 
rate 1101 II 1 j . PNS attacks are currently the main limitation to a long-distance 
BB84 realized with weak pulses ["HfllTS] . 

The paper is organized as follows. In section I we review the LM05 protocol 
and describe the PNS attacks against it. In section II we theoretically study the 
security against these attacks in terms of the rate of distillable secure bits. In 
section III we describe the first experimental test of LM05 with weak pulses. 



2. Theory 

The LM05 protocol works as follows pQ. Bob prepares a photon in one of the 
four polarization states |0), |1), |±) = 1/a/2(|0) ± |1)), with |0), |1) eigenstates of 
the Pauli operator a z , and sends it to Alice. With probability c Alice measures the 
photon (control mode, CM) as she would do in the BB84 protocol. This guarantees 
that the scheme is at least as secure as the BB84. Otherwise, with probability 1 — c, 
she uses the photon to encode a bit (message mode, MM) by flipping (logical value 
T') or not flipping (logical value '0') it. After that she sends the photon back to 
Bob. To flip the photon without knowing its state Alice uses the operation ia y , 
that acts as a universal 'equatorial NOT' gate [Tl|- Bob can deterministically 
decode Alice's message by measuring the qubit in the same basis he prepared it, 
without demand for a classical channel. We point out that LM05 does not allow for 
a direct communication when the channel is noisy or lossy. As explained in ^H] it 
is not possible so far to achieve both a reliable and secure delivery of a message: if 
one uses the error correction protocol |16| I17j to make the communication reliable 
Eve can capture a non negligible amount of information, while if one uses the 
privacy amplification protocol JH] to make the communication secure Bob has 
no means to reconstruct Alice's original message. Whether a secure and reliable 
direct communication in presence of noise or losses is really possible is still an open 
question. 

In the following we describe two PNS attacks, that provide full information to 
Eve while remaining completely undetected. Notwithstanding the analysis includes 
also strategies of the same kind that are only partially informative to Eve: with 
privacy amplification ^Sj Alice and Bob can remove any remaining information 
from Eve, according to what explained in |12j . 

When the photon source is a laser attenuated with an average photon number 
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per pulse /i, the probability to have n photons in a single pulse is given by [T§] : 

P n ( M ) = ^ e -M (1) 

A typical value used for /j, in the experiments is 0.1 that gives Pq ~ 9 • 10 _1 , Pi ~ 
9-10~ 2 , P 2 ~ 4.5 -10~ 2 , and so on. This means that with a probability P n (//) Bob 
prepares the state 

\*pf n = (2 ) 
n times 

rather than the desired state \tp) (ip indicates one of the four polarizations of the 
photon prepared by Bob). 

It is known (Lutkenhaus's suggestion in [20] ) that when n = 3 it exists a mea- 
surement A4 that provides a conclusive result about the absolute polarization ip 
with (optimal) probability 1/2. Eve can exploit this fact to eavesdrop on LM05 
protocol in the following way. She performs a quantum nondemolition measure- 
ment (QND) on the pulses as soon as they exit Bob's station; this can be done 
without perturbing the polarization ip. When she finds n < 3 she blocks the pulses. 
On the pulses with at least three photons she executes M and if the outcome is not 
conclusive she blocks these pulses as well. When n > 3 and the outcome of M is 
conclusive she prepares a new photon in the right state ip and forwards it to Alice. 
Until here this attack is completely analogous to the 'IRUD-attack' described in 
|2()| . The only variant is that Eve waits for Alice encoding and measures again the 
photon on the backward trip, to know whether it has been flipped (in this case 
she finds the orthogonal state k^)) or not (she finds \ip)). Since Eve did know ip, 
she can extract Alice's information without perturbing the state. After that she 
forwards the photon in the correct state to Bob. We call this first attack PNS^vf. 

A second attack is more peculiar to LM05. This time suppose that n = 2 
and call the two photons in the pulse p\ and p2- As before Eve can know the 
number of photons per pulse through a QND measure. When n < 2 Eve blocks 
the pulses. When n = 2 she stores p\ and forwards p 2 to Alice; this let her 
remain undetected during a possible CM on the forward path. On the way back 
Eve captures again p2- To gain Alice's information she must decide whether the 
polarizations of p\ and p 2 are parallel or antiparallel: in the first case she would 
deduce the logical value '0'; in the second case she would deduce '1'. But the 
discrimination between parallel and antiparallel spins is not as simple as it appears 
at a first glimpse: while the parallel-spin-state \P) = \ip) Pl \tP)p 2 is symmetric, the 
antiparallel-spin-state \ AP) = \ip) pi \'P~ L )p2 is neither symmetric nor antisymmetric. 
Upon symmetrizing \AP) we can realize that it is not orthogonal to |P), and by 
consequence it is not perfectly distinguishable from it (we remand to |2j, j22] for 
a complete treatment of this problem). Actually an optimal measurement M' is 
a nonlocal one and gives Eve a conclusive result (between |P) and \AP)) with a 
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probability 1/4 Hence Eve can block all the 'inconclusive' pulses to gain full 
information and still remain undetected. However it remains open the question 
of which photon must Eve forward to Bob. The measurement Ai' consists in a 
generalized measurement with projectors in the four-dimensional Hilbert space 
given by: U P ^ P2 = U)^) - IV^M] ® [(^1(^1 - (^1(^0/2 and n^' P2 = 
I 4 — n^ 1,P2 . The conclusive answer is related to the antisymmetric state n^' P2 . 
Upon obtaining this result Eve does not know whether to give Bob the state or 
the state \ip ± ), because she ignores the absolute value of ip prepared by Bob. This 
shows that two photons are not sufficient for a perfect eavesdropping with Ai'. 
Yet the complete attack can be accomplished with an additional photon ^3: Eve 
should store P3, execute A4', and eventually encode ps according to the conclusive 
outcome of Ai'; the photon prepared in this way can be forwarded to Bob without 
risk of detection. 

The above analysis establishes that a perfect (i.e. with zero QBER) eavesdrop- 
ping can be realized with at least three photons in a pulse. It also establishes that 
the measurement Ai represents a more powerful resource for Eve than Ai 1 , for a 
number of reasons: it gives information on the complete polarization state ip of 
the photons, not only on Alice's operation; the probability of conclusive results 
is 1/2 rather than 1/4; Eve knows about the conclusiveness of her measurement 
immediately, rather than after Alice's encoding, and can use this information to 
improve her strategy. For these reasons hereafter we only study the robustness of 
the scheme against the PNS^vi attacks. We do it following Liitkenhaus's approach 
in [12]. 

Bob prepares photons with a phase-averaged weak-pulse laser; the statistics of 
the photons in each pulse is described by Eg-lfl")!. Given a forward-and-backward 
lossy channel with transmissivity tn n k, and with reference to the MM runs of 
the protocol, we see that the encoded photons are revealed by Bob's APDs with 
average probability: 

p swn = ! _ e -MBtu nk „ mB t Unk , ( 3 ) 

where the approximation is valid for small values of the exponent, t/b is the 
quantum efficiency of Bob's detectors; tu n k = 10~( a ' +rc " 10 is the transmissivity 
of the channel, where a is the absorption coefficient |23j . I is the distance (in Km) 
between the place in which the photon is prepared and the place in which it is 
detected, and T c is a constant total loss-rate given by Alice's encoding equipment 
and Bob's measuring apparatus. To the signal revealed by Bob contribute also the 
dark counts per gating windows, ds, from his (two) detectors: Pa% rk = 2ds, for a 
total signal probability equal to 

„ _ n sign 1 dark _ sign dark ( a\ 

Pav — Fav ^ y av y av p av , 

where the last term represents the probability of a coincidence between a dark 
count and a true signal photon. Now we can write the necessary condition for 
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security against the PNS.M attacks as: 

Pav>P= \Pn=Z (M) + Pn>3 (^) = 1 " (l + ^ + y + ~y) e"" (5) 

In Eq.(J5J) we conservatively assumed that the probability of a conclusive outcome 
from M for more than three photons in a single pulse is 1. The meaning of the 
above formula is that when the loss-rate is too high the probability to detect a 
signal photon becomes smaller and smaller, eventually letting Eve conceal under 
the expe — P) , 
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Fig. 1: Secure rate versus transmittance for the protocols LM05 (continuous line) 
and BB84 (dotted line) with the following parameters: /x = 1, r\s = 1, T c = 0. 
The 'secure rate' is defined by (pav™ — P) for LM05 and by (pav™ — P*) for BB84. 
See text for the explicit expressions of pav™, P and P*. 

that defines the security region of LM05, versus the transmittance of the channel 
tiink-, after setting /i = 1, tjb = 1 and T c = 0. We also plotted the analogous curve 
for BB84 under the same settings. The purpose is to show for which values of tu n j- 
the two protocols are secure against PNS attacks. It can be noted that despite the 
quite high value of \x the security of LM05 is attained for almost all the values of 
tii n k- In order to reduce the probability on the right side of Eq.(JSJ) and increase 
the security of the scheme we could decrease the value of \i\ however in this way 
also the probability to detect a signal (Eq.©) will decrease. So there must be a 
tradeoff between these two opposite requirements (security and signal rate) that 
defines an optimality region for the scheme. 

The tradeoff can be studied through the 'gain of secure bits' defined in [12] . 
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that we rewrite here for LM05 protocol: 

G sec = Vav W ~ T ') ~ fcasch (e)] ; r' = t (e/(3) . (6) 

It represents the fraction of secure bits that can be distilled from the transmitted 
bits after the procedures of error correction |161 117j and privacy amplification ^S] . 
P = (Pav — P) I Vav > is the security parameter: until it is positive the protocol 
is secure against PNS^ attacks. f caS c is a function defined in jTT] that takes into 
account the imperfect (although efficient) error correction procedure performed 
with the Cascade protocol; h (e) is the Shannon entropy for the QBER e; r is 
the fraction of the error-corrected key which has to be discarded during privacy 
amplification when only single-photon pulses are taken into account [25]; it is a 
function of the QBER and amounts to |25]: r(e) = log 2 (l+4e-4e 2 ) for < e < 1/2 
and r(e) = 1 for 1/2 < e < 1. Finally t' in Eq.(|fi|l represents the fraction of bits to 
discard after taking into account multiphoton pulses: it amounts to r scaled with 
the security parameter f3. The QBER e is given by the experiment according to 
the following expression e = (n err + ri£)/2)/ntot, where the number of error 

bits in the sifted key, no is the number of 'ambiguous' double clicks in Bob's APDs 
and ntot is the total number of used bits. The importance of njj is theoretical: 
usually tid <C n err , and it can be completely neglected. 

In FigEl the gain G sec for both LM05 (continuous lines) and BB84 (dotted 
lines) is plotted as a function of the distance between Alice and Bob. We note 
that when Alice-Bob distance is I the total distance between the creation of the 
photon and its final detection is I for the BB84, and 21 for the LM05, due to the 
double usage of the quantum channel. The BB84 implementation we adopted for 
comparison with LM05 is the one reported in Ref. [21] for the first optical fiber 
communication window at wavelength around 0.8/um. It is worthwhile noting that 
the secure gain has a maximum in fi for every fixed length I. Hence the pictures in 
Fig|2]have been obtained by fixing four values of / {l\ = 1.5, li = 3, Is = 4.5, l± = 6 
Km respectively plot a, b, c, d) both for LM05 and BB84, and finding the values 
Hi that provide a maximum for G sec (/ij|Zj). We allowed ^ to be different in BB84 
and LM05. Vertical lines have been drawn at the typical distances (i = 1, ...4). 
The maximum distance for both the protocols is between 6 and 7 Km for the 
parameters given in the caption of FigEl It can be seen that in correspondence 
of the vertical lines l\, I2, h (plots a, b, c) the LM05 curves are above the BB84 
curves, while it is the opposite for Z4 (plot d). This means that for almost all the 
relevant distances between Alice and Bob, the LM05 allows for a better gain of 
secure bits, that directly reflects in higher distribution rates of secure bits between 
the users. The improvement on small and medium distances has two reasons: the 
first is the deterministic nature of the protocol, that doubles the rate by removing 
the basis reconciliation procedure; this reflects in a factor 2 for G sec pertaining to 
LM05 respect to that pertaining to BB84 ^2]. The second reason is the two-way 
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Fig. 2: Secure rate vs Alice-Bob distance given the PNS attacks described in the 
text. A = 830 nm, a = 2.5 dB/Km, r c = 8 dB, d B = 5 x 1CT 8 counts/slot, 

T]B = 0.5. 

channel, that provides the probability P of Eq.© considerably smaller than the 
analogous of BB84, given by P* = P n >2 (m) = 1 — (1 + A 4 ) e_/1 - It should be noticed 
that the same double channel also implies a higher total loss-rate for LM05; then 
the increased gain of secure bits is a non trivial result. 

3. Experiment 

The experimental test of LM05 for QKD is realized exploiting non-orthogonal 
polarization states of near infrared photons (see FigE]). 

The photon source is a pulsed diode laser (Picoquant PDL 808) at 810nm with 
a repetition rate of 20MHz, pulse width 88ps FWHM. A pulse generator is used 
as sync source for the laser diode and a detection circuit. The light pulses are first 
split in two, one half goes at Bob's side for the initial state preparation for both 
CM and MM runs, the other half is sent to Alice for the CM runs. 

The first stage of the protocol is the preparation at Bob's side of the qubits, 
encoded using a A/2 waveplate (Pi), in four polarization linear states of the light 
pulses attenuated to an average number of photons per pulse of /i = (0.118 ± 
0.002). The prepared photons are launched into 5m long single mode fibers at 
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Fig. 3: Experimental setup (see text for details). Inset - a typical communica- 
tion test for different sets of preparation by Bob and operation by Alice. Bobs 
preparation is reported on the overlay (a z and a x eigenstates). Alices encoding 
is represented by the lighter gray area for / (logical '0'), and darker gray for ia y 
(logical '1'). The black area represents the distribution of the QBER. 



810nm (Thorlabs P1-830A-FC) connecting Alice and Bob. Before every test the 
fiber was aligned using polarization control pads (Thorlabs FPC-560) so that any 
polarization input state exits almost unchanged [the fibers proved to remain stable 
for quite long periods (~ 4h), enough for several runs after the alignment]. The 
second stage is at Alice's side. The switch between CM and MM is passively 
realized via a 50/50 BS. Control Mode: The photons are polarization analyzed by 
a set composed by a A/2-waveplate (WP2), a polarizing BS (PBS2) and two APD 
(PerkinElmer SPCM-AQR-13-FC) modules with quantum efficiency r/s ~ 50% at 
810nm and dark counts ~ 300cps (Ao and Ai). The counts rates are measured in 
a 8ns time window triggered by the sync source, giving a dark counts per gating 
windows cLb ~ 2.4 x 10 -6 . To complete the control mode, Alice injects in the BS, 
used for switching from CM to MM, a light pulse generated by the second half of 
the pulse originated from the diode laser. The pulses are polarization encoded in 
similar fashion as at Bob's side (P2), and attenuated to a mean photon number 
per pulse almost 1/20 of the MM one [27]. A couple of A/2 waveplates (WP2,3) 
are used to realize the I and the ia y operators necessary for the Message Mode 5 . 
As last step, the photon travels back to Bob through a different fiber, 5m long too, 
with a polarization control pads. 

The photons coming from Alice are eventually polarization-analyzed at Bob's 
side by PBS3 and a A/2 waveplate (WP4) set so that the photons are measured in 
the same basis as they were prepared. The photons are collected after the PBS3 
into two multimode fibers and then detected by two APD modules, Bq and B\. 
Counts out of Bq and B\ in a 8ns time window triggered to the sync source, can 
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be associated to logical values '0' and '1' corresponding to Alice encoding in the 
MM runs. A typical result of a communication test is reported in the inset of Fig|3] 
for different state preparations performed by Bob and different encodings by Alice 
(all the eight configurations of interest). 

In our experimental tests we estimated the total QBER as e = n err /rit t, where 
n to t is the total number of counts and n err the counts in the 'wrong' detector. The 
best value we obtained for e is (0.0248 ± 0.0001). We have estimated a probability 
of 'ambiguous' double clicks njj/ntat ~ 9 x 10 -4 , a factor ~ 30 lower than the 
probability of error bits e, i.e. we can approximate n error ~ n err (see discussion 
before Fig. |2j). The channel transmissivity is estimated to be tu n k ~ 0.27 giving 
T c ~ 5.7dB. These parameters allow to estimate the 'secure bits gain', G sec , for 
LM05 and BB84 to be 0.018 and 0.006, respectively. With a 20MHz repetition 
rate laser this entails the possibility to distribute secret bits with LM05 at ~ 360 
kbits/s, 3 times higher than BB84 (~ 120 kbits/s). The mean photon number 
used in the experiment represents the optimal [i for distances up to ~ 3 Km. 

4. Conclusion 

Our study shows the security of the LM05 protocol against a class of PNS 
attacks, based on imperfections of Alice and Bob's equipment. As a byproduct 
we found that LM05 allows for higher distribution rates of secure bits respect to 
the BB84, for almost all the relevant distances between Alice and Bob. In our 
analysis we made the implicit assumption that Eve is clever enough not to alter 
the statistics of the losses counted by Alice and Bob |S2]- This means that in 
the frame of PNSyvj attacks Eve should distribute her 'blocking action' on both 
the paths (to and fro) between Alice and Bob, otherwise resulting more easily 
detectable. 

Furthermore we have reported on the first experimental test of LM05 imple- 
mented with weak coherent state at 0.8/xm. We have measured a QBER e ~ 0.024 
for a communication distance of 5m, which for the parameters of our setup allows 
for a secure bit rate ~ 3 times higher than BB84 for distances up to ~ 3 Km. 

This work has been supported by the European Commission through the Inte- 
grated Project 'Scalable Quantum Computing with Light and Atoms' (SCALA), 
Contract No 015714, 'Qubit Applications' (QAP), Contract No 015848, funded 
by the 1ST directorate, and the Ministero della Istruzione, dellUniversita e della 
Ricerca ((FIRB-RBAU01L5AZ and PRIN-2005024254)). 
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